Role definitions

Role types

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

All roles have the role type IAMRole. Grant a subject with permissions in the global API server using IAMRoleBinding to a predefined IAMRole. All role and role bindings are global.

Predefined identity and access roles tables for PA and AO

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

PA Persona, predefined identity and access roles

PA persona
Name	Kubernetes resource name	Initial admin	Level
AI Platform Admin	`ai-platform-admin`	False	Organization
Audit Logs Platform Restore Bucket Creator	`audit-logs-platform-restore-bucket-creator`	False	Organization
Audit Logs Platform Bucket Viewer	`audit-logs-platform-bucket-viewer`	False	Organization
Billing Viewer	`billing-viewer`	False	Organization
Bucket Admin	`bucket-admin`	False	Organization
Bucket Object Admin	`bucket-object-admin`	False	Organization
Bucket Object Viewer	`bucket-object-viewer`	False	Organization
Bucket Admin	`global-bucket-admin`	False	Organization
Bucket Object Admin	`global-bucket-object-admin`	False	Organization
Bucket Object Viewer	`global-bucket-object-viewer`	False	Organization
Dashboard PA Creator	`dashboard-pa-creator`	False	Organization
Dashboard PA Editor	`dashboard-pa-editor`	False	Organization
Dashboard PA Viewer	`dashboard-pa-viewer`	False	Organization
DR Backup Admin MP	`dr-backup-admin-mp`	False	Organization
DR System Admin MP	`dr-system-admin-mp`	False	Organization
Flow Log Admin	`flowlog-admin`	False	Organization
Flow Log Viewer	`flowlog-viewer`	False	Organization
GDCH Restrict By Attributes Policy Admin	`gdchrestrictbyattributes-policy-admin`	False	Organization
GDCH Restricted Service Policy Admin	`gdchrestrictedservice-policy-admin`	False	Organization
Global PNP Admin	`global-project-networkpolicy-admin`	False	Organization
IdP Federation Admin	`idp-federation-admin`	False	Organization
Interconnect Admin	`interconnect-admin`	False	Organization
KMS Rotation Job Admin	`kms-rotationjob-admin`	False	Organization
Log Query API Querier	`log-query-api-querier`	False	Project
LoggingRule PA Creator	`loggingrule-pa-creator`	False	Organization
LoggingRule PA Viewer	`loggingrule-pa-viewer`	False	Organization
LoggingRule PA Editor	`loggingrule-pa-editor`	False	Organization
LoggingTarget PA Creator	`loggingtarget-pa-creator`	False	Organization
LoggingTarget PA Viewer	`loggingtarget-pa-viewer`	False	Organization
LoggingTarget PA Editor	`loggingtarget-pa-editor`	False	Organization
MonitoringRule PA Creator	`monitoringrule-pa-creator`	False	Organization
MonitoringRule PA Viewer	`monitoringrule-pa-viewer`	False	Organization
MonitoringRule PA Editor	`monitoringrule-pa-editor`	False	Organization
MonitoringTarget PA Creator	`monitoringtarget-pa-creator`	False	Organization
MonitoringTarget PA Viewer	`monitoringtarget-pa-viewer`	False	Organization
MonitoringTarget PA Editor	`monitoringtarget-pa-editor`	False	Organization
ObservabilityPipeline PA Creator	`observabilitypipeline-pa-creator`	False	Organization
ObservabilityPipeline PA Viewer	`observabilitypipeline-pa-viewer`	False	Organization
ObservabilityPipeline PA Editor	`observabilitypipeline-pa-editor`	False	Organization
Org Network Policy Admin	`org-network-policy-admin`	False	Organization
Organization Backup Admin	`organization-backup-admin`	False	Organization
Organization Cluster Backup Admin	`organization-cluster-backup-admin`	False	Organization
Organization IAM Admin	`organization-iam-admin`	True	Organization
Organization IAM Viewer	`organization-iam-viewer`	False	Organization
Organization DB Admin	`organization-db-admin`	False	Organization
Organization Upgrade Admin	`organization-upgrade-admin`	False	Organization
Organization Upgrade Viewer	`organization-upgrade-viewer`	False	Organization
Project Bucket Admin	`global-project-bucket-admin`	False	Organization
Project Bucket Object Admin	`project-bucket-object-admin`	False	Organization
Project Bucket Object Viewer	`global-project-bucket-object-viewer`	False	Organization
Project Creator	`project-creator`	False	Organization
Project Editor	`project-editor`	False	Organization
SIEM Export Org Creator	`siemexport-org-creator`	False	Project
SIEM Export Org Editor	`siemexport-org-editor`	False	Project
SIEM Export Org Viewer	`siemexport-org-viewer`	False	Project
System Cluster Backup Repository Admin	`system-cluster-backup-repository-admin`	False	Organization
Transfer Appliance Request Creator	`transfer-appliance-request-creator`	False	Organization
User Cluster Admin	`user-cluster-admin`	False	Organization
User Cluster Backup Admin	`user-cluster-backup-admin`	False	Organization
User Cluster Developer	`user-cluster-developer`	False	Organization
User Cluster Node Viewer	`user-node-viewer`	False	Organization
VPN Admin	`vpn-admin`	False	Project
VPN Viewer	`vpn-viewer`	False	Project

PA persona, predefined identity, and access roles

PA persona
Name	Management API server permissions	Kubernetes cluster permissions	Escalates to
Audit Logs Platform Restore Bucket Creator	Backup buckets: Read and write	N/A	N/A
Audit Logs Platform Bucket Viewer	Backup buckets: Read	N/A	N/A
AI Platform Admin	AI platform user interface (UI): Read and write	N/A	N/A
Backup Repository Admin	Backup repositories: Create, read, and delete Cluster information: Read	N/A	N/A
Billing Viewer	SKU descriptions, machine inventory, fleets, invoices, and configs: Read	N/A	N/A
Bucket Admin	Bucket and objects: Read and write	N/A	N/A
Bucket Object Admin	Bucket: Read Objects: Read and write	N/A	N/A
Bucket Object Viewer	Bucket and objects: Read	N/A	N/A
Dashboard PA Creator	`Dashboard` custom resources: Read and write	N/A	N/A
Dashboard PA Editor	`Dashboard` custom resources: Read and write	N/A	N/A
Dashboard PA Viewer	`Dashboard` custom resources: Read	N/A	N/A
DR Backup Admin MP	`BackupRepository` resources: Get, list, create, patch, and delete `BackupPlan` resources: Get, list, create, patch, and delete `ManualBackupRequest` resources: Get, list, create, patch, and delete `Backup` resources: Get and list	N/A	N/A
DR System Admin MP	Secrets, buckets, roles, role bindings, and service accounts: Read and write	N/A	N/A
Flow Log Admin	Flow log resources: Read and write	N/A	N/A
Flow Log Viewer	Flow log resources: Read	N/A	N/A
GDCH Restrict By Attributes Policy Admin	GDCH restricted attributes policies: Create, edit, and delete	N/A	N/A
GDCH Restricted Service Policy Admin	GDCH restricted service policies: Create, edit, and delete	N/A	N/A
Global PNP Admin	Project network policies: Get, list, create, patch, update, and delete Project network policy replicas: Get, list, create, patch, update, and delete	N/A	N/A
IdP Federation Admin	Identity provider configs and secrets: Create, read, update, patch, and delete	N/A	N/A
Interconnect Admin	Interconnect attachments: Get, list, watch, create, update, delete, and patch Attachment groups: Get, list, watch, create, update, delete, and patch	N/A	N/A
KMS Rotation Job Admin	`RotationJob` resources: Create, read, update, patch, and delete	N/A	N/A
Log Query API Querier	Log Query API project logs: Read	N/A	N/A
LoggingRule PA Creator	`LoggingRule` custom resources: Read and write	N/A	N/A
LoggingRule PA Editor	`LoggingRule` custom resources: Read and write	N/A	N/A
LoggingRule PA Viewer	`LoggingRule` custom resources: Read	N/A	N/A
LoggingTarget PA Creator	`LoggingTarget` custom resources: Read and write	N/A	N/A
LoggingTarget PA Editor	`LoggingTarget` custom resources: Read and write	N/A	N/A
LoggingTarget PA Viewer	`LoggingTarget` custom resources: Read	N/A	N/A
MonitoringRule PA Creator	`MonitoringRule` custom resources: Read and write	N/A	N/A
MonitoringRule PA Editor	`MonitoringRule` custom resources: Read and write	N/A	N/A
MonitoringRule PA Viewer	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget PA Creator	`MonitoringTarget` custom resources: Read and write	N/A	N/A
MonitoringTarget PA Editor	`MonitoringTarget` custom resources: Read and write	N/A	N/A
MonitoringTarget PA Viewer	`MonitoringTarget` custom resources: Read	N/A	N/A
ObservabilityPipeline PA Creator	`ObservabilityPipeline` custom resources: Read and write	N/A	N/A
ObservabilityPipeline PA Editor	`ObservabilityPipeline` custom resources: Read and write	N/A	N/A
ObservabilityPipeline PA Viewer	`ObservabilityPipeline` custom resources: Read	N/A	N/A
Org Network Policy Admin	`OrganizationNetworkPolicy` in `platform` namespace: Create, read, update, and delete	N/A	N/A
Organization Backup Admin	`BackupRepositoryManagers`, backup plans, manual backup requests, delete backup requests, backup repositories, VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete Secrets: Create Volume backups and cluster infos: Read VM backup plans, VM backups, VM restores: Read and delete	N/A	N/A
Organization Cluster Backup Admin	`ClusterBackupRepository`:Create, get, list, watch, and delete `ManualClusterBackupRequest` Create, get, list, watch, and delete `ManualClusterRestoreRequest` Create, get, list, watch, and delete `ClusterRestore` Create, get, list, watch, and delete `ClusterBackupPlan` Create, get, list, watch, update and delete `ClusterRestorePlan` Create, get, list, watch, update and delete `ClusterBackup` Get, list, and watch `ClusterVolumeBackup` Get, list, and watch `ClusterVolumeRestore` Get, list, and watch	N/A	N/A
Organization IAM Admin	`IAMRole` and `IAMRoleBinding`: Create, read, update, and delete List project namespace	N/A	Project IAM Admin and all other PA roles
Organization IAM Viewer	Role-based access control (RBAC) objects: Read `IAMRole` and `IAMRoleBinding`: Read	N/A	N/A
Organization DB Admin	Secrets, database versions, flags, maintenance policies, software libraries, database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, restores, and failovers: Create, read, and delete Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Organization Upgrade Admin	Maintenance windows: Get, list, watch, update, and patch	N/A	N/A
Organization Upgrade Viewer	Maintenance windows: Get, list, and watch	N/A	N/A
Project Creator	Project custom resources (CR): Read and create Fleet CR: Read and create Clusters: Read ATAT portfolio secret: Read, view, and update	N/A	N/A
Project Editor	Project custom resources (CR): Read, delete, patch, update, and view Fleet CR: Read and delete Cluster CR: Read	N/A	N/A
SIEM Export Org Creator	`SIEMOrgForwarder` custom resources and secrets: Get, create, and read	N/A	N/A
SIEM Export Org Editor	`SIEMOrgForwarder` custom resources and secrets: Get, read, update, delete, and patch	N/A	N/A
SIEM Export Org Viewer	`SIEMOrgForwarder` custom resources and secrets: Read	N/A	N/A
System Cluster Backup Repository Admin	Backup repositories: Get, read, create, and delete	N/A	N/A
Transfer Appliance Request Creator	`TransferApplianceRequest` custom resource (CR): Read and create	N/A	N/A
User Cluster Admin	`UserClusterUpgrade`: Read and write `UserClusterMetadata`, `ClusterBgpRouters`, `InventoryMachines`, and project custom resources (CR): Read `CidrClaims`: Create, read, update, and delete `Namespace`: Create and delete `ClusterCidrConfigs` and clusters: Create, read, update, patch, and delete `NodeUpgrades`: Create, read, patch, and update	`Clusters` and `NodePoolClaims`: Read and write `NodePools`, `MachineClasses`, `VirtualMachineTypes`, and `ClusterInfos`: Read	N/A
User Cluster Backup Admin	N/A	Backup and restore plans, manual backup and restore requests, delete backup requests, restores, and backup repositories: Create, read, delete, update, and patch Backups, volume backups, and volume restores: Read `ClusterInfo`: Read	N/A
User Cluster Developer	N/A	Clusters: Read and write	N/A
User Cluster Node Viewer	N/A	Clusters: Read	N/A
VPN Admin	N/A	`VPNGateway`: Create, read, write `PeerGateway`: Create, read, write `VPNBGPPeer`: Create, read, write `VPNTunnel`: Create, read, write	N/A
VPN Viewer	N/A	`VPNGateway`: Read `PeerGateway`: Read `VPNBGPPeer`: Read `VPNTunnel`: Read	N/A

AO Persona, predefined identity and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level
AI Gemini Flash Developer	`ai-gemini-flash-developer`	False	Project
AI OCR Developer	`ai-ocr-developer`	False	Project
AI Platform Viewer	`ai-platform-viewer`	False	Project
AI Speech Chirp Developer	`ai-speech-chirp-developer`	False	Project
AI Speech Developer	`ai-speech-developer`	False	Project
AI Text Embedding Developer	`ai-text-embedding-developer`	False	Project
AI Text Embedding Multilingual Developer	`ai-text-embedding-multilingual-developer`	False	Project
AI Translation Developer	`ai-translation-developer`	False	Project
Artifact Management Admin	`artifact-management-admin`	False	Project
Artifact Management Editor	`artifact-management-editor`	False	Project
Backup Creator	`backup-creator`	False	Project
Certificate Authority Service Admin	`certificate-authority-service-admin`	False	Project
Dashboard Editor	`dashboard-editor`	False	Project
Dashboard Viewer	`dashboard-viewer`	False	Project
Discovery Engine Admin	`vaisearch-admin`	False	Project
Discovery Engine Developer	`vaisearch-developer`	False	Project
Discovery Engine Reader	`vaisearch-reader`	False	Project
Global Load Balancer Admin	`global-load-balancer-admin`	False	Project
Harbor Instance Admin	`harbor-instance-admin`	False	Project
Harbor Instance Viewer	`harbor-instance-viewer`	False	Project
Harbor Project Creator	`harbor-project-creator`	False	Project
K8s NetworkPolicy Admin	`k8s-networkpolicy-admin`	False	Project
KMS Admin	`kms-admin`	False	Project
KMS Creator	`kms-creator`	False	Project
KMS Developer	`kms-developer`	False	Project
KMS Key Export Admin	`kms-keyexport-admin`	False	Project
KMS Key Import Admin	`kms-keyimport-admin`	False	Project
KMS Viewer	`kms-viewer`	False	Project
Load Balancer Admin	`load-balancer-admin`	False	Project
LoggingRule Creator	`loggingrule-creator`	False	Project
LoggingRule Editor	`loggingrule-editor`	False	Project
LoggingRule Viewer	`loggingrule-viewer`	False	Project
LoggingTarget Creator	`loggingtarget-creator`	False	Project
LoggingTarget Editor	`loggingtarget-editor`	False	Project
LoggingTarget Viewer	`loggingtarget-viewer`	False	Project
Marketplace Editor	`marketplace-editor`	False	Project
MonitoringRule Editor	`monitoringrule-editor`	False	Project
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project
Namespace Admin	`namespace-admin`	False	Project
NAT Viewer	`nat-viewer`	False	Project
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project
Project Bucket Admin	`project-bucket-admin`	False	Project
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project
Project NetworkPolicy Admin	`project-networkpolicy-admin`	False	Project
Project DB Admin	`project-db-admin`	False	Project
Project DB Editor	`project-db-editor`	False	Project
Project DB Viewer	`project-db-viewer`	False	Project
Project IAM Admin	`project-iam-admin`	True	Project
Project Viewer	`project-viewer`	False	Project
Project VirtualMachine Admin	`project-vm-admin`	False	Project
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project
Secret Admin	`secret-admin`	False	Project
Secret Viewer	`secret-viewer`	False	Project
Service Configuration Admin	`service-configuration-admin`	False	Project
Service Configuration Viewer	`service-configuration-viewer`	False	Project
Volume Replication Admin	`app-volume-replication-admin`	False	Cluster
Vertex AI Prediction User	`vertex-ai-prediction-user`	False	Project
Workbench Notebooks Admin	`workbench-notebooks-admin`	False	Project
Workbench Notebooks Viewer	`workbench-notebooks-viewer`	False	Project

AO persona, predefined identity, and access roles

AO persona
Name	Management API server permissions	Kubernetes cluster permissions	Escalates to
AI Gemini Flash Developer	Gemini Flash resources: Read and write	N/A	N/A
AI OCR Developer	OCR resources: Read and write	N/A	N/A
AI Speech Chirp Developer	Speech Chirp resources: Read and write	N/A	N/A
AI Speech Developer	Speech resources: Read and write	N/A	N/A
AI Text Embedding Developer	Text Embedding resources: Read and write	N/A	N/A
AI Text Embedding Multilingual Developer	Text Embedding Multilingual resources: Read and write	N/A	N/A
AI Translation Developer	Translation resources: Read and write	N/A	N/A
Backup Creator	N/A	Manual backups and restores: Create, read, and delete Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read	N/A
Certificate Authority Service Admin	Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch	N/A	N/A
Dashboard Editor	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`Dashboard`: Get and read	N/A	N/A
Discovery Engine Admin	`Discovery Engine`: Get, read, create, update, delete, and patch	N/A	N/A
Discovery Engine Developer	`Discovery Engine`: Get and read	N/A	N/A
Discovery Engine Reader	`Discovery Engine`: Read	N/A	N/A
Global Load Balancer Admin	N/A	`HealthCheck`: Get, watch, list, create, patch, update, and delete `BackendService`: Get, watch, list, create, patch, update, and delete `ForwardingRuleExternal`: Get, watch, list, create, patch, update, and delete `ForwardingRuleInternal`: Get, watch, list, create, patch, update, and delete	N/A
Harbor Instance Admin	Harbor instances: Create, read, update, delete, and patch	N/A	N/A
Harbor Instance Viewer	Harbor instances: Read	N/A	N/A
Harbor Project Creator	Harbor instance projects: Create, get, and watch	N/A	N/A
K8s NetworkPolicy Admin	`NetworkPolicy` resources: Create, read, get, update, delete, and patch	N/A	N/A
KMS Admin	`AEADKey`: Create, read, update, delete, patch, encrypt, and decrypt `SigningKey`: Create, read, update, delete, patch, and sign `KeyImport` and `KeyExport`: Read	N/A	N/A
KMS Creator	`AEADKey` and `SigningKey`: Create and read	N/A	N/A
KMS Developer	`AEADKey` in the project namespace: Read, encrypt, and decrypt `SigningKey` in the project namespace: Read and sign	N/A	N/A
KMS Key Export Admin	`KeyExport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Key Import Admin	`KeyImport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Viewer	`AEADKey`, `SigningKey`, `KeyImport`, `KeyExport`: Read	N/A	N/A
Load Balancer Admin	N/A	`Backend`: Get, watch, list, create, patch, update, and delete `HealthCheck`: Get, watch, list, create, patch, update, and delete `BackendService`: Get, watch, list, create, patch, update, and delete `ForwardingRuleExternal`: Get, watch, list, create, patch, update, and delete `ForwardingRuleInternal`: Get, watch, list, create, patch, update, and delete	N/A
LoggingRule Creator	`LoggingRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Editor	`LoggingRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingRule Viewer	`LoggingRule` custom resources: Read	N/A	N/A
LoggingTarget Creator	`LoggingTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Editor	`LoggingTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
LoggingTarget Viewer	`LoggingTarget` custom resources: Read	N/A	N/A
Marketplace Editor	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	N/A	All resources: Read and write access in the project namespace	N/A
NAT Viewer	N/A	Deployments: Get and read	N/A
ObservabilityPipeline Editor	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	Bucket and objects: Read	N/A	N/A
Project IAM Admin	`IAMRoleBinding` and `IAMRole`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
Project NetworkPolicy Admin	Project network policies: Read and write in the project namespace	N/A	N/A
Project DB Admin	Database versions, flags, maintenance policies, software libraries, and database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, exports, and restores: Create, read, and delete Secrets: Create, delete, and update Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Project DB Editor	Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read Imports: Create, read, and delete Database clusters: Read and update Secrets: Create and delete	N/A	N/A
Project DB Viewer	Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read	N/A	N/A
Project Viewer	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	VM images: Read VM image imports: Read and write	N/A	N/A
Secret Admin	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	Kubernetes secrets: Read	N/A	N/A
Service Configuration Admin	`ServiceConfigurations`: Read and write	N/A	N/A
Service Configuration Viewer	`ServiceConfigurations`: Read	N/A	N/A
Vertex AI Prediction User	Online Predictions: Read and write	N/A	N/A
Volume Replication Admin	`Volume failovers, volume relationship replicas`: Create, get, list, watch, delete	N/A	N/A
Workbench Notebooks Admin	N/A	Notebook custom resources (CR) in the project namespace: Create, read, update, and delete `ClusterInfo` objects: Read	N/A
Workbench Notebooks Viewer	N/A	Notebook custom resources (CR) in the project namespace: Read	N/A
Workload Viewer	N/A	Pod custom resources in the project namespace: Read Deployment custom resources in the project namespace: Read	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level
AI Platform Viewer	`ai-platform-viewer`	False	Project
DB UI Viewer	`db-ui-viewer`	False	Project
DB Options Viewer	`db-options-viewer`	False	Project
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization
Flow Log Admin	`flowlog-admin`	False	Organization
Flow Log Viewer	`flowlog-viewer`	False	Project
Marketplace Viewer	`marketplace-viewer`	False	Project
Pricing Calculator User	`pricingcalculator-user`	False	Project
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project
Public Image Viewer	`public-image-viewer`	False	Organization
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	True	Organization
VM Type Viewer	`vmtype-viewer`	False	Organization

Common predefined identity and access roles

Common roles
Name	Admin cluster permissions	User cluster permissions	Escalates to
AI Platform Viewer	Pre-trained services: Read	N/A	N/A
DB Options Viewer	DBS configurations: Read	N/A	N/A
DB UI Viewer	DBS UI configurations: Read	N/A	N/A
DNS Suffix Viewer	DNS suffix config maps: Read	N/A	N/A
Flow Log Admin	Flow log resources: Get and read	Flow log resources: Get and read	N/A
Flow Log Viewer	Flow log resources: Create, get, read, patch, update, and delete	Flow log resources: Create, get, read, patch, update, and delete	N/A
Marketplace Viewer	Service versions: Read	N/A	N/A
Pricing Calculator User	N/A	`SkuDescriptions`: Read	N/A
Project Discovery Viewer	Projects: Read	N/A	N/A
Public Image Viewer	VM images: Read	N/A	N/A
VM Type Viewer	VM types: Read	N/A	N/A